defirisk.co
rubric v1.7.0

Bridge ecrecover checks result ≠ address(0)

Circle USYC's assessment for RD-F-151 — scored not_applicable on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

[★ CRITICAL] Taxonomy mismatch: CrossChainTeller uses Circle CCTP attestation for message validation, not ecrecover. Source inspection of both Ethereum and BSC CrossChainTeller contracts confirmed no ecrecover usage for bridge message validation. CCTP processes message attestations through Circle's infrastructure (redeemComplete(message, attestation)). Wormhole-class ecrecover-zero-address vulnerability pattern structurally absent. Not_applicable.

Sources #

  • Etherscan
    CrossChainTeller BSC - BSCScanCrossChainTeller BSC at 0xf38979E05650be7926EA07BB59C48Fb9b1DB3D08 - confirmed no ecrecover for validation; CCTP attestationretrieved 2026-05-16
  • Etherscan
    CrossChainTeller Ethereum - EtherscanCrossChainTeller Ethereum at 0x5dbeCcECEbCdC2ce3258f6E638373d2923560c7d - source confirms no ecrecover usage for message validation; CCTP attestation model usedretrieved 2026-05-16

Methodology #

Determine whether the bridge verifier code rejects `ecrecover` returns of `address(0)`.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol circle-usyc factor RD-F-151 score not_applicable collected_at 2026-05-15 21:56:43